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ON THE DANGER OF REDUNDANCIES IN SOME AEROSPACE MECHANISMS* 


M. Chew** 


ABSTRACT 


This paper attempts to show that redundancies in some aerospace mechanisms do 
not generally improve the odds for success • Some of these redundancies may even 
be the very cause for failure of the system. To illustrate this fallacy, two 
designs based on the Control of Flexible Structures I (COFS I) Mast deployer and 
retractor assembly (DRA) are presented together with novel designs to circumvent 
such design inadequacies, while improving system reliability. 


INTRODUCTION 


One of the general principles held closely and dearly by mechanical designers 
and engineers is the incorporation of redundancies in the design of their mechani- 
cal and electromechanical systems. For good system reliability, redundancies are 
incorporated to improve the chances for success, and generally do; however, there 
are some types of redundancies that fail to do so. In fact, this paper, in 
describing two aerospace mechanism designs, will illustrate that some redundancies 
may decrease the chances for system success. Although the set of such undesirable 
types of redundancies described herein is small, it is worth documenting such 
types that do not perform to expectation. Other approaches can be taken instead 
to improve the odds. Redundancies can also introduce other penalties (such as 
space, weight, efficiency and fabrication costs) which should be weighed against 
the expected benefits of the redundancies introduced into the system. 

One type of redundancy that is undesirable relates to conditions within the 
system. A given failure of a component or subsystem may change the environment such 
that the redundant component or subsystem does not perform to its expected level. 
Such a redundancy degradation can, at times, be anticipated so that designs around 
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the obstacle can be adopted. As an example, failures occurred in some recent 
development and deployment tests conducted on the Magellan (Venus Mapper) 
Spacecraft when a particular lot of pyrotechnic pin pullers, ones that incorporate 
a redundant initiator, failed to function properly. As part of an engineering 
evaluation, the contractor conducting the tests determined that 

1. The shock pulse from the first initiator could prove sufficient 
to permanently distort the bore of the pin puller, thereby 
preventing piston motion. A subsequent firing of the second 
initiator would not improve this situation. Fabrication and 
quality assurance problems were also present in these units. 

2. Further design consideration by others revealed that if the 
first initiator's output was insufficient, firing this initi- 
ator could contaminate the interior surface with sufficient 
particulate deposits to inhibit free piston movement if such 
movement had not already taken place. It is possible that 
enough particulate contamination could be introduced between 
the piston and bore to prevent any piston motion with a subse- 
quent firing of the second initiator. 

This paper considers another type of undesirable redundancy which introduces 
a condition of over constraint to aerospace mechanisms. To adequately explain and 
illustrate this type of redundancy, two mechanism designs within the COFS I DRA 
will be used to show how such a type of redundancy can actually be the cause for 
system failure. The two mechanisms are the lead-screw drive and the diagonal 
fold-arm bell-crank linkage. In the sections that follow, a description is given 
of the design of each of these mechanisms, how they function within the COFS I 
DRA, how their expected redundancy can cause failure, and how the design can be 
improved. 


BACKGROUND 


As a subset of COFS I, the Mast Flight System (MFS) , figure 1, incorporating 
a reusable, deployable-restowable truss beam as a test bed, was conceived to 
bridge the gap between ground and on-orbit modal verification, and validation of 
control methodologies. A description of the specific subsystems of the MFS, of 
which the deployer and retractor assembly (DRA) is one of the major functional 
components, can be found in reference 1. 


OPERATION OF THE COFS DEPLOYER/RETRACTOR ASSEMBLY (DRA) 


The main function of the DRA is to deploy and retract the beam out of and 
into the Shuttle payload bay in a continuous, smooth motion. This sequence of 
deployment and retraction is shown in figure 2. Figure 3 shows the DRA with 
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the beam partially deployed. Central to the DRA is an annular box called the 
upper drive assembly. This box contains two sets of mechanisms. One is a gear 
train designed for simultaneous power transmission to three lead-screws used to 
deploy or retract the beam. The other is a spatial linkage designed to unlock and 
open the beam’s diagonal latches and hence initiate folding of the beam during the 
retraction process. These mechanisms are illustrated in figure 4. 

The deploy or restow drive mechanism is powered by a deployer motor via a 
gearbox so as to enable the lead-screws to change their direction and speed of 
rotation. The mechanism consists of six drive shafts, laid end-to-end to form a 
loop, much like the sides of a hexagon. At the ends of each shaft are bevel 
gears, so that power may be transmitted from one shaft to. the next, around this 
hexagonal loop, back to itself. Power take-offs for the lead-screws occur at 
every other set of beveled gears. The redundancy arises from the continuous 
loop — failure of any drive shaft or bevel gear will not disrupt the ability of 
this mechanism to transmit power to the set of three lead-screws. Such a gearing 
system is called a recirculating gear train [references 2-4]. Other types of 
power recirculating arrangements have been used in the testing of belts and chain 
drives [references 5 and 6]. 

In the process of deploying the beam, the deployer drive motor rotates in a 
direction such that the lead-screws move the nodal fittings (corner bodies) 
located at the corners of the beam. As the corner bodies ride along the lead- 
screws, the immediate folded stack bay of the beam begins to unfold. Since the 
lead-screw rotation is continuous, the unfolding, and hence the deployment of the 
beam, is smooth and continuous. The reverse is also true for the retraction of 
the beam. At the deployed position for each beam bay-pair, the diagonal links are 
straightened and the mid-span hinges and latches are spring loaded so that the 
beam behaves as a structure. 

To begin retracting the beam, the same spring loaded latches on the diagonal 
links must be unlocked to permit the diagonal links to fold. To fold these spring 
latches, the diagonal fold-arm drive system is used. Simultaneously, as these 
latches are being folded, the separate deployer motor is driving the lead-screws 
in the restow direction. This causes the corner bodies to move down into the DRA, 
thereby completing the folding and stowing of each bay-pair of the beam. This 
sequence is repeated until the beam is restowed. 

In the following sections, an examination of how redundancies in the lead- 
screw drive gear train and in the bell-crank linkage could be the very factors 
that can cause failures within the DRA will be presented. This examination begins 
with the bell-crank mechanism. 


BELL-CRANK LINKAGE 


In the bell-crank linkage (figure 4) that is located in the upper drive 
assembly (figure 3) of the DRA, a crank-and-rocker linkage, driven by the retractor 
motor through a diagonal fold-arm drive gear, is concatenated to the bell-crank. 
Rotation of the diagonal fold-arm drive motor results in oscillatory motion of the 
bell-crank linkage. This linkage consists of six triangular oscillatory members, 
or links, that are located at the corners of a hexagon. These triangular links 
are connected to each other by six straight members to form a hexagonal continuous 
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or closed-loop. While minimizing backlash, this loop is anticipated to provide 
redundancy in the event of failure of any of the bell-crank or straight link mem- 
bers. A power take-off at each alternate bell-crank, transfers the oscillatory 
motion of the bell-crank linkage drive to a spatial six-bar linkage that transmits 
power to the upper and lower diagonal fold-arms. These diagonal fold-arms press 
on the near-over-center hinge latches to effect folding of the diagonal during the 
initial stages of the retraction process for each bay-pair of the beam. 

Next, consider the six couplers that link the bell-cranks together to form 
the hexagonal loop. Normally, only five such links are needed. In the event any 
one of these links were to fail, a sixth coupler link was incorporated to complete 
the loop, thereby ensuring that the bell-crank linkage would still perform its 
function. In this way, a redundant power path to retract the beam back into the 
canister is still maintained to all the diagonal fold-arms should any coupler link 
fail. Such a redundancy has obvious advantages. It absolves the need for a 
totally separate system that would increase cost, weight, complexity and space 
requirements; and, according to the subcontract designers, it would also provide 
some degree of structural integrity to the mechanism in the form of lower system 
backlash. 

General Observations on Mobility 


Careful design considerations are needed to introduce this sixth coupler 
link. In fact, without judicious dimensional choices for the bell-crank mecha- 
nism, the resulting hexagonal loop (with the sixth coupler link) will act as a 
structure, not a mechanism and therefore will not move! A brief proof follows: 

A kinematic equivalent for an arbitrarily dimensioned bell- 
crank mechanism is shown in figure 5. In this figure, 
link #1 is the ground (fixed) link. Applying the degree-of- 
freedom (d.o.f.) equation attributed to Gruebler [reference 
7 and 8] for this linkage we have; 

Link #1 is the ground link. 

Using the d.o.f. equation, F ■ A (L-j-1) + Zf± 

Where for planar mechanism, 

A = Mobility number = 3 
L * Total # of links = 13, 
j = Total // of joints = 18, and 
f± = d.o.f. of the ith joint - 1. 

substituting F - 3(13-18-1) + 18 

so that F = 0 

Which states that the bell-crank mechanism is a zero d.o.f. system and is there- 
fore a structure and will not move! 

Special Dimensions for the Bell-Crank Mechanism 


There are special dimensional requirements for this linkage that will per- 
mit the bell-crank mechanism to exhibit a single d.o.f. The theory is based on 
that of a folding linkage [reference 8]. The folding linkage is a four-bar where 
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the dimensions of its opposite links are equal, such that the four-bar constitutes 
a parallelogram. A principal characteristic of the folding linkage is that any 
given angular rotation on the input link is exactly duplicated at the output link. 
Such a linkage therefore (a) ensures a design with one d.o.f., (b) allows the 
bell-crank and folding arm members to operate as a mechanism, and (c) maintains 
the synchronization of all the folding arms (upper and lower pairs) — a total of 
six in the DRA. Based on the characteristics of the folding linkage and on suf- 
ficiency conditions, a workable design for the bell-crank mechanism would be 

1. All coupler links must be the same length (from figure 5, they 
are links #3, 5, 7, 9, 11, 13), and that same length must also 
be equal to the distance between two adjacent ground pivots of 
the bell-cranks • 

2. All rocker links or sides of the bell-cranks (such as links 
#2a, 2b, 4a, 4b, 6a, 6b, 8a, 8b, 10a, 10b, 12a and 12b) are of 
the same length. 

3. The angles ( ot ) subtended by the bell-cranks at the pivots 
must all be equal to 60°. 

With the above special dimensions, the bell-crank mechanism will exhibit a 
single d.o.f. and will therefore move. Under this set of circumstances, the d.o.f. 
equation will no longer apply. While the above design simplifies the choice of 
dimensions, the number of parts are still a point of concern. The high part count 
contributes to problems in tolerance buildup, reliability, cost, weight and space. 
A more optimal approach to the design with improvements in all these factors will 
be discussed later. 

Danger of Over Constraint Redundancies 


The loop arrangement for the bell-crank mechanism ensures a dual path for 
power transmission to the upper and lower diagonal fold-arms in the event that a 
coupler link within the mechanism fails. However, this redundancy may only be 
academic. Recall that the bell-crank mechanism under general dimensions forms a 
structure and is therefore immobile. The introduction of the sixth coupler link 
as a redundancy has caused the mechanism to become over constrained. Fortunately, 
with special dimensional requirements, the bell-crank mechanism can be made 
movable with a single d.o.f. However, these special dimensional requirements 
must be observed at all times during the planned operation of the DRA. The 
problem is, in the hostile space environment, temperature gradients across the 
mechanism could cause these dimensional requirements to be violated. This could 
result in locking up the bell-crank mechanism (reverting it back to a structure) 
or could cause high link- and bearing-loadings within the mechanism. Even in the 
absence of temperature gradients, the costs and complexity of ensuring tight 
tolerancing may well be undesirable. 

This bell-crank mechanism therefore serves to illustrate the danger of 
introducing a redundancy into a mechanism that will result in an over constrained 
system. With special dimensional requirements, the mechanism may be made 
movable. However, the strict requirements of dimensional control in hostile 
environments may not be readily realized in practice. This could bring about 
failure of the system, ironically due to that very redundancy. 
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While this example is based on that for a linkage mechanism, the principle is 
equally applicable to gear drive mechanisms. The next section discusses the 
danger of such over constraint redundancies in the lead-screw drive mechanism of 
the DRA. 


LEAD-SCREW DRIVE MECHANISM 


The lead-screw drive mechanism is powered by a deployer motor via a gearbox 
which enables the lead-screws to change their direction and speed of rotation. In 
an arrangement similar to the bell-crank mechanism, the lead-screw drive mechanism 
consists of six drive shafts, laid end-to-end to form a loop, much like the sides 
of a hexagon shown in figure 4. At the ends of each shaft are bevel gears, so 
that power may be transmitted from one shaft to the next, around this hexagonal 
loop, back to itself. It can be seen that power take-offs for the lead-screws 
occur at every other set of beveled gears in the hexagonal loop. The redundancy 
arises from the continuous loop — failure of any drive shaft or bevel gear will not 
disrupt the ability of this mechanism to transmit power to the set of three lead- 
screws. Such a gearing system is called a recirculating gear train which can be 
found in many machines, although rather infrequently, for a good reason. 

A quick investigation into the general mobility of such a gear drive set-up 
would show a zero d.o.f. A brief proof for this system follows: 

Again applying the d.o.f. equation [reference 7 and 8] for 

this loop we have; 

With link #1 as the ground link. 

Using the d.o.f. equation, F -X(L-j-l) + E f ^ 

Where for planar mechanism, 

X = Mobility number « 3 
L = Total # of links = 13, 

j = Total # of joints = 24, and 

E f i = Total d.o.f. of all joints - 36. 

substituting F = 3(13-24-1) +36 =0 

so that F = 0 

Which states that, as in the bell-crank mechanism, this gear train has a zero 
d.o.f. and is therefore a structure! 

This gear train is only operable when special dimensions are instituted 
into the design. The difficulty of maintaining the special dimensions needed in 
recirculating gear trains testifies to the generally high tooth loadings and low 
power transmission efficiencies observed. This is precisely what is observed in 
gear torque testing machinery which also has similar recirculating gear train 
arrangements [reference 9] . With inadequate design, the resultant low power trans- 
mission efficiency could cause failure of the mechanism to perform its mission 
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satisfactorily, if at all. In fact, during tests of a DRA feasibility of concept 
model, a gear box failed and higher than predicted drive motor loads were 
experienced. This was believed due, in part, to a lack of recognition of the need 
to achieve and maintain special dimensions. 


RECOMMENDATION ON DESIGN IMPROVEMENTS 


The introduction of an additional link or drive shaft has caused the respective 
mechanisms to become over constrained. Such kinematic structures for power 
transfer, although commonly found within subcomponents such as constant velocity 
joints and universal joints [references 10 and 11], may not be suitable for 
aerospace applications. Therefore other approaches should be pursued. 

One approach to eliminate the effects of over constraint within the system is 
not to introduce it in the first place. For example, it is possible to design the 
coupler links and the gear shafts to ensure that their failure would not occur. 

Such would be the simplest approach if that is possible within the available space 
and weight requirements. 

Another approach is to use circular ring gear arrangements as illustrated in 
figure 6. This design consists of two large ring gears that rotate concentric to 
the axis of the canister. The innermost ring gear is driven by the deployer motor 
and power is fed off to three gears to drive each of the three lead-screws. The 
use of a ring gear makes the process of coordinating the rotation of the lead- 
screws a trivial matter when compared to the present design. 

In a similar manner, the outermost ring gear driven by the diagonal folding 
mechanism motor, pushes and pulls on three push-pull cables as it oscillates back 
and forth. These cables, after going through a very gradual 90° turn to orient 
them parallel to the beam axis, drive the upper diagonal fold-arms which in turn 
are coordinated with the respective lower diagonal fold-arms via a coupler link. 

To save weight, this ring gear could be made up of gear sectors. 

In comparison to the present design, this ring gear arrangement would save 
space, reduce part count, and improve reliability. 


SUMMARY 


Two designs of mechanisms that have redundancies built-in have been shown, 
paradoxically, to be the very elements that can cause failure of the mechanism to 
perform its function. In each of these designs, the introduction of the redun- 
dancy causes the mechanism to become kinematically over constrained. While the 
over constraint may be eliminated with special dimensional requirements placed 
on the mechanism, these requirements may not be achievable in the hostile environ- 
ment of space. 

While redundancies do indeed generally improve the odds for mission success, 
redundancies also exist that do not follow this general philosophy. The 
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dangers of such fallacies, if unexplored and not emphasized, may lead to 
significant redesign or loss of valuable experiments* 
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Figure 1.- Deployed 60 Meter Mast Beam 
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DRA FUNCTION 

(DRA Not Shown For Simplicity) Retraction 
Deployment 6 diagonals 

delatch and unfold 




6 diagonal locks and folds diagonals 
• Deployer restacks mast 


Figure 2.- Mast Beam Dep loyment /Ret rac t ion Sequence 


DRA DEPLOYED, BEAM DEPLOYED 



Figure 3.- DRA Deployed, Beam Partially Deployed 
(Typical Retractor Device Shown) 
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Lead-Screw Motor 


SIDE VIEW 


BOTTOM VIEW 



Push-Pull Cable 


Lead-Screw Motor 



Lead-Screw Ring Gear 

Figure 6*- Circular Gear Arrangement 


